Secure Your Connected Medical Device, Protect Your Health

By: Dan DeCloss, Founder and CEO of PlexTrac, Inc.

This week’s theme for NCSAM, “Securing Internet-Connected Devices in Healthcare” is one that I’m quite familiar with from my past security experience. My time working at the Mayo Clinic, Anthem Blue Cross, and various companies in healthcare as a consultant exposed me to the cybersecurity risks related to medical devices.

What’s the Risk Really?

Within a hospital system, the number one priority is patient safety. Simultaneously, technology plays a critical role in the advancement of medicine and standard of patient care. Thus, the convergence of security risks in technology and patient safety is inevitable. There are multiple scenarios based on my experience that could create significant threats to patient safety. Thus, hospitals, clinics, and medical device vendors need to take security seriously and develop robust security programs throughout all stages of the product lifecycle, from the time the product is designed to how it’s deployed in the hospital or in the patient’s home. The concern about the security of connected medical devices and protecting not only patient data, but actual patient health is real.

When testing medical devices, we found large disparities in security protections amongst various devices. Those that had been around awhile, aka “legacy” devices, didn’t always take security into account in the design process. The good news is that medical device manufacturers are also recognizing the risks and improving security in new devices, new models, and software updates to existing machines.

The industry is becoming more aware, but patients also need to consider their responsibility to protect themselves. Device security must always be a collaboration between the manufacturer and the consumer, but awareness of the threat is key to either group successfully mitigating risk.

Medical devices are just like any internet-connected computer, laptop, cell phone, or smart TV. Despite the fact that medical devices can have the same kinds of vulnerabilities, patients and device manufacturers have not traditionally thought of them in that way. The primary focus is on the convenience and consistency they can supply in tracking vital information or delivering medication in an information-driven world. The possibility that these amazing tools could be compromised just doesn’t enter most people’s minds. After all, who would want to hack an insulin pump anyway?

This very issue made the news in 2011 when cybersecurity expert and Type 1 diabetic Jay Radcliffe hacked his own insulin pump to demonstrate the vulnerabilities of his device and their potentially life-threatening consequences. Despite the controversy his research stirred up, Radcliffe made his point that although the likelihood of a nefarious attack on a wirelessly connected medical device—like an insulin pump, pacemaker, or defibrillator—is slim, the stakes are high.

What’s the Average Patient to Do?

Before anyone throws out their continuous glucose monitor for fear some lurker is also monitoring their blood sugar for an unknown nefarious purpose, consider the risk versus reward. These devices improve and save lives, and we would no sooner get rid of them due to their security issues than toss out our cell phones because of theirs. However, we can be informed users and continue to set high expectations.

Fortunately, the average consumer can take some simple steps to reduce the vulnerability of their medical devices just like they can reduce the risk to any internet-connected device.

  1. Be your own advocate. Just like you would ask questions about the side effects of a prescribed medication, you should research and ask questions about the security of a prescribed medical device. Do your research or call the manufacturer. Even if the device isn’t as secure as it should be, you’ll be more aware of potential risks, and the maker will have heard concerns directly from a customer.
  2. Secure your home network. Anytime you bring a new device into your home you are opening yourself up to security risks. A medical device is no different. If you don’t already take steps to ensure your home network is safe and protected, now is the time. You spend the most time at home and so will your medical device, which means securing your home network is the most effective way to secure your device.

In assuring your personal cybersecurity, awareness is half the battle. Unfortunately, awareness around the security of connected medical devices tends to be low. Get informed and do your part to #becybersmart. Your health, or the health of someone you love, could depend on it.
